Privacy Policy

Last updated: May 2026

Who We Are

ZenDays is a weekly planner and time-management web application that helps users plan their week, track execution, and receive AI-powered weekly feedback. Our application URL is https://app.zendays.com.

ZenDays is operated by Forzeit Ltd, a private limited company registered in England. We are committed to protecting and respecting your privacy.

Google API Disclosures

This section discloses ZenDays’ use of Google APIs in accordance with the Google API Services User Data Policy.

Google APIs we use

Google Calendar API — used only for accounts that explicitly connect their Google account from inside the ZenDays app.

OAuth scopes we request

https://www.googleapis.com/auth/calendar.readonly — read-only access to the user’s calendar events.

What we do with the data

We read calendar events to display them in the user’s ZenDays weekly view, so the user can see their existing schedule alongside the tasks they plan in ZenDays.

What we do NOT do with the data

We do not sell, share, or use Google user data for advertising, and we do not use it to train AI models. Calendar data is never disclosed to third parties.

How we store it

Refresh tokens are stored encrypted in our database. Calendar events themselves are imported on-demand and are not retained beyond active use.

How users revoke access

Users can disconnect any connected Google account from the Profile page in the ZenDays app. Disconnecting revokes our access token at Google and removes the connection on our side. You can also revoke access at any time directly from your Google Account permissions page.

Limited Use disclosure

ZenDays’ use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Authentication and Account Data

When you create an account, we collect:

Full name
Email address
Encrypted password (if using email/password authentication)
Authentication tokens and session data

If you sign in with Google OAuth, we also receive:

Your email address
Your basic profile information (name and profile picture)

Your authentication credentials are managed by Supabase, our authentication provider, and are stored with industry-standard encryption and security practices.

User Profile and Planning Data

As you use ZenDays, we store the data you create inside the app:

Profile preferences and account settings
Weekly plan templates and recurring week structures
Tasks, goals, and notes
Execution history (which tasks you completed, when, and any feedback you added)
Connected calendar metadata (which Google account is connected, last-sync timestamps)

This data is stored securely in our database and is accessible only to you through your account. It is used solely to provide the planning, tracking, and feedback features of the Service.

AI-Powered Features (Ava)

ZenDays includes an AI assistant called Ava, who generates personalised weekly feedback based on your execution data — for example, your completion rate, recurring blockers, and patterns across weeks.

To produce Ava’s output, we send the relevant subset of your plan and execution data to a third-party AI provider. We:

Send the minimum data necessary to produce the requested feedback
Do not use your data to train AI models
Do not share your data with other ZenDays users

For information on how our AI provider processes data, please review the provider’s privacy policy.

Payment Information

ZenDays uses Stripe to process subscription payments. We do not directly store your credit card information or full payment details. When you subscribe:

Stripe securely processes and stores your payment information
We store only your Stripe customer ID and subscription ID to manage your subscription status
We track subscription start dates, status (active, cancelled), and plan information
Payment history and billing details are managed through Stripe’s secure billing portal

For more information on how Stripe handles your payment data, please review Stripe’s Privacy Policy.

Usage Data and Analytics

To improve the Service and understand how users interact with the app, we collect:

Page views and navigation patterns
Feature usage statistics
Session duration and activity timestamps
Browser type and device information

This data is used solely to improve our application, identify popular features, and optimise the user experience. It is aggregated and anonymised where possible and is never sold to third parties.

Cookies

We use cookies and similar technologies to manage your session and improve your experience:

Authentication cookies

When you log in, we set authentication cookies to keep you logged in across sessions. These cookies contain session tokens and are essential for the application to function.

Session storage

We use browser localStorage to store your authentication state and preserve your session during payment redirects to Stripe. This ensures you remain logged in after completing a payment.

Embedded Content from Other Websites

Pages on this site or in the app may include embedded content such as YouTube videos. Embedded content from other websites behaves in the exact same way as if you visited that website directly.

These websites may collect data about you, use cookies, embed additional third-party tracking, and monitor your interaction with that embedded content, including tracking your interaction if you have an account and are logged in to that website.

Your data is shared only with the following service providers who help us operate ZenDays:

Supabase — database hosting, authentication, and file storage
Stripe — payment processing and subscription management
Google — OAuth authentication and (optionally, when you connect a Google account) Google Calendar API for read-only calendar access
Our AI provider — to produce Ava’s weekly feedback (see “AI-Powered Features” above)
Customer.io — email lifecycle communications: we sync your email address, name, and subscription status to send onboarding emails, product updates, and account communications
The ZenDays team — your contact email may be accessed by authorised members of the ZenDays team for customer support and service delivery

All third-party service providers are contractually obligated to protect your data and use it only for the purposes of providing services to us.

How Long We Retain Your Data

We retain your data for as long as your account is active and for a limited period afterward:

Active users: all profile, plan, and execution data is retained while your account is active
Cancelled subscriptions: if you cancel, your account data is retained for 3 months to allow you to reactivate and recover your data
Deleted accounts: if you request account deletion, all personal data is permanently deleted within 30 days, except for data we are required to retain for legal, administrative, or security purposes (such as payment records for tax compliance)
Google Calendar events: never persisted — they are read on-demand and discarded after rendering

What Rights You Have Over Your Data

You have the following rights regarding your personal data:

Access — view all your personal data through your profile settings in the application
Rectification — edit and update your profile information at any time
Erasure — request deletion of your account and all associated data by emailing max@zendays.com
Data portability — request an exported file of all personal data we hold about you
Restriction — request that we restrict processing of your personal data in certain circumstances
Objection — object to processing of your personal data for specific purposes
Revoke Google access — disconnect any connected Google account from the Profile page in the ZenDays app

To exercise any of these rights, please contact us at max@zendays.com. We will respond to your request within 30 days.

How We Protect Your Data

We take data security seriously and have implemented multiple layers of protection:

Encryption — all data is encrypted in transit using HTTPS/TLS and at rest in our database
Token encryption — OAuth refresh tokens (including Google Calendar tokens) are encrypted at rest
Access controls — Row Level Security policies ensure users can only access their own data
Authentication — industry-standard OAuth 2.0 and secure password hashing
Regular audits — we regularly review and update our security measures
Limited access — only authorised personnel have access to production systems and data

Forzeit Ltd is committed to protecting and respecting the privacy of our users and ensuring the security of their personal data. We process personal data in accordance with the United Kingdom’s Data Protection Act 2018 and the European Union’s General Data Protection Regulation (GDPR) (EU) 2016/679.

We have implemented appropriate technical and organisational measures to safeguard personal data, including encryption, access controls, Row Level Security policies, and regular security audits. We collect and process personal data only for specified, explicit, and legitimate purposes, and we do not process data in a manner incompatible with those purposes. We retain personal data for no longer than is necessary for the purposes for which it was collected, and we ensure that personal data is accurate and kept up to date.

We recognise and respect the rights of our users under GDPR, including the right to access, rectify, erase, restrict processing, object to processing, and data portability. We have established procedures for users to exercise their rights and provide a timely response to such requests.

We are transparent about our data processing activities and provide clear information to users about the types of personal data we collect, the purposes for which it is collected, and the circumstances under which it may be shared with third parties.

Children’s Privacy

ZenDays is not directed to children under the age of 13 (or under 16 in the European Economic Area). We do not knowingly collect personal information from children. If you believe that a child has provided us with personal information, please contact us at max@zendays.com and we will promptly delete the information.

International Data Transfers

ZenDays is operated from the United Kingdom. Our service providers (including Supabase, Stripe, Google, and our AI provider) may process data outside the UK and the European Economic Area. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses to ensure your data continues to be protected.

Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make changes, we will update the “Last updated” date at the top of this page.

If we make material changes to how we handle your personal data, we will notify you by email or through a prominent notice within the application. We encourage you to review this privacy policy periodically to stay informed about how we are protecting your data.

Contact Us

If you have any questions, concerns, or requests related to this privacy policy or our data processing activities, please contact us at max@zendays.com.

Operated by Forzeit Ltd, a private limited company registered in England.